Cattiaux, who has written iOS jailbreak applications and who works for French penetration-testing company Quarkslab, dissected the iMessage protocol and authentication to conclude that Apple itself can break iMessage encryption at any time… and the NSA probably can as well. Cattiaux’ presentation is posted here.

The encryption between iMessage clients and Apple servers during the encryption process is very strong– “preventing the development of 3rd party iMessage clients” – Cattiaux wrote.

The rest of the process has a few weaknesses.

First, all the traffic goes through Apple’s servers, which supply the encryption keys. By saving the keys and sending fake authentications to the clients involved, Apple can read an iMessage stream or even intercept, modify and re-send it without any indication security had been violated, Cattiaux wrote.

Apple’s mobile-device management also gives an iPhone user’s employer surprisingly insecure access. Devices connected to the iPhone Configuration Utility – Apple’s enterprise iPhone management application – get a second security certificate controlled by the company that is trusted in all encrypted SSL connections the device makes afterward. With the certificate and a proxy that re-routes SSL connections through a proxy server, employers can see all the unencrypted text traveling between the Apple device and Apple’s servers.

User passwords travel through SSL connections to iMessage servers, but they travel in clear text, so employers could easily collect the AppleIDs and passwords of all their iMessage-using employees.

Apple declined the IDG News Service request for a comment or clarification.

Cattiaux called for Apple to make its public-key-infrastructure and authentication process more transparent. He also said the weaknesses weren’t as bad as those in many mobile apps, and that iMessage was a decent option for anyone not sending information they genuinely expected to remain top secret: “MITM attacks on iMessage are unpractical to the average hacker, and the privacy of iMessage is good enough for the average user.”